← Back to context

Comment by ncruces

2 years ago

Yep, I just made it tweakable at build, which was always the intent, although I expect the default to be popular.

https://github.com/ncruces/go-sqlite3/blob/67d859a5/vfs/adia...

That's unfortunate about the default parameters, but note that you can also replace the KDF altogether (besides just not using it).

You just need to implement this interface, with any HBSH construction and KDF:

https://github.com/ncruces/go-sqlite3/blob/67d859a5/vfs/adia...

If you keep the HBSH and change the KDF, your file format will be “compatible.”

6 comments

ncruces

Reply
d-z-m  2 years ago

> That's unfortunate about the default parameters, but note that you can also replace the KDF altogether (besides just not using it).

Right...I would argue if you're going to expose it to users as an option, your parameter set should meet the minimum hardness parameter set in the RFC. Yours is falling off the bottom.

  • ncruces  2 years ago

    I don't disagree, and after some consideration and testing, will use the RFC recommendation of 3 iterations, 4 lanes, 64 MiB RAM.

    However, it's also important to take note of how the KDF is used, and what is used by comparable solutions in equivalent settings.

    For instance, the official extension, sold by the SQLite authors, uses RC4:

    “For the "-textkey" option, up to 256 bytes of the passphrase are hashed using RC4 and the hash value becomes the encryption key. Note that in this context the RC4 algorithm is being used as a hash function, not as a cryptographic function, so the fact that RC4 is a cryptographically weak algorithm is irrelevant.”

    The textkey= parameter is not really appropriate for interactive use, rather it is a convenient way for a user to specify a key in text form, as a URI parameter, without weakening it (by e.g. making NULs impossible, and reserved characters inconvenient to encode).

    If you're taking a password from a user interactively, you should really be using your own password hashing, then using hexkey=. I'll try to make this clearer in the documentation.

    • d-z-m  2 years ago

      > However, it's also important to take note of how the KDF is used

      Agree completely. I'm glad that t=3 works for your usage requirements. Was hoping it wouldn't introduce an intolerable amount of latency.

      > and what is used by comparable solutions in equivalent settings.

      I interpreted the above and the linked documentation snippet as trying to say: "Yes, the KDF was sub-par, but alternatives are worse". Is this what you were trying to convey?

      The fact that the official encryption extension is using sub-par KDF(the sentence about it being a hash and not a "cryptographic" function is insane, btw) has no bearing on your project or its implementation.

      3 replies →